diff --git a/README.md b/README.md
index 9845cc5..718018f 100644
--- a/README.md
+++ b/README.md
@@ -14,13 +14,13 @@ The preferred way to install this extension is through [composer](http://getcomp
 Either run
 ```shell
-composer require hyperia/yii2-secure-headers:"^2.0"
+composer require hyperia/yii2-secure-headers:"^3.0"
 ```
 or add
 ```
-"hyperia/yii2-secure-headers": "^2.0"
+"hyperia/yii2-secure-headers": "^3.0"
 ```
 to the require section of your composer.json.
@@ -47,7 +47,21 @@ to the require section of your composer.json.
 'xFrameOptions' => 'DENY',
 'xPoweredBy' => 'Hyperia',
 'referrerPolicy' => 'no-referrer',
- 'reportUri' => 'https://company.report-uri.com',
+ 'reportOnlyMode' => false
+ 'reportUri' => 'https://company.report-uri.com/r/d/csp/enforce',
+ 'reportTo' => [
+ [
+ 'group' => 'groupName',
+ 'max_age' => 10886400,
+ 'endpoints' => [
+ [
+ 'name' => 'endpointName',
+ 'url' => 'https://example.com',
+ 'failures' => 1
+ ]
+ ]
+ ]
+ ]
 'cspDirectives' => [
 'connect-src' => "'self'",
 'font-src' => "'self'",
@@ -61,6 +75,7 @@ to the require section of your composer.json.
 'media-src' => "'self'",
 'form-action' => "'self'",
 'worker-src' => "'self'",
+ 'report-to' => 'groupname'
 ],
 'featurePolicyDirectives' => [
 'accelerometer' => "'self'",
diff --git a/composer.lock b/composer.lock
index cb27f5e..ebad7ff 100644
--- a/composer.lock
+++ b/composer.lock
@@ -1,7 +1,7 @@ { "_readme": [ "This file locks the dependencies of your project to a known state", - "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", + "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], "content-hash": "5f1bddbe90e76ea03414452f9f7003ef",
@@ -11,14 +11,13 @@ "version": "3.3.11", "source": { "type": "git", - "url": "https://github.com/RobinHerbots/Inputmask.git", + "url": "git@github.com:RobinHerbots/Inputmask.git", "reference": "5e670ad62f50c738388d4dcec78d2888505ad77b" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/RobinHerbots/Inputmask/zipball/5e670ad62f50c738388d4dcec78d2888505ad77b", - "reference": "5e670ad62f50c738388d4dcec78d2888505ad77b", - "shasum": null + "reference": "5e670ad62f50c738388d4dcec78d2888505ad77b" }, "require": { "bower-asset/jquery": ">=1.7" @@ -33,14 +32,13 @@ "version": "3.5.1", "source": { "type": "git", - "url": "https://github.com/jquery/jquery-dist.git", + "url": "git@github.com:jquery/jquery-dist.git", "reference": "4c0e4becb8263bb5b3e6dadc448d8e7305ef8215" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/jquery/jquery-dist/zipball/4c0e4becb8263bb5b3e6dadc448d8e7305ef8215", - "reference": "4c0e4becb8263bb5b3e6dadc448d8e7305ef8215", - "shasum": null + "reference": "4c0e4becb8263bb5b3e6dadc448d8e7305ef8215" }, "type": "bower-asset", "license": [ @@ -58,10 +56,21 @@ "dist": { "type": "zip", "url": "https://api.github.com/repos/bestiejs/punycode.js/zipball/38c8d3131a82567bfef18da09f7f4db68c84f8a3", - "reference": "38c8d3131a82567bfef18da09f7f4db68c84f8a3", - "shasum": null + "reference": "38c8d3131a82567bfef18da09f7f4db68c84f8a3" }, - "type": "bower-asset" + "type": "bower-asset-library", + "extra": { + "bower-asset-main": "punycode.js", + "bower-asset-ignore": [ + "coverage", + "tests", + ".*", + "component.json", + "Gruntfile.js", + "node_modules", + "package.json" + ] + } }, { "name": "bower-asset/yii2-pjax", @@ -74,8 +83,7 @@ "dist": { "type": "zip", "url": "https://api.github.com/repos/yiisoft/jquery-pjax/zipball/aef7b953107264f00234902a3880eb50dafc48be", - "reference": "aef7b953107264f00234902a3880eb50dafc48be", - "shasum": null + "reference": "aef7b953107264f00234902a3880eb50dafc48be" }, "require": { "bower-asset/jquery": ">=1.8" 
@@ -197,16 +205,16 @@ }, { "name": "yiisoft/yii2", - "version": "2.0.40", + "version": "2.0.42.1", "source": { "type": "git", "url": "https://github.com/yiisoft/yii2-framework.git", - "reference": "debb520c1d72a2c97c09d70a2a2a4f600ef3958e" + "reference": "976e2e892af4df933831b5e0a05d0acf4b173d98" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/yiisoft/yii2-framework/zipball/debb520c1d72a2c97c09d70a2a2a4f600ef3958e", - "reference": "debb520c1d72a2c97c09d70a2a2a4f600ef3958e", + "url": "https://api.github.com/repos/yiisoft/yii2-framework/zipball/976e2e892af4df933831b5e0a05d0acf4b173d98", + "reference": "976e2e892af4df933831b5e0a05d0acf4b173d98", "shasum": "" }, "require": { @@ -293,7 +301,21 @@ "framework", "yii2" ], - "time": "2020-12-23T15:44:43+00:00" + "funding": [ + { + "url": "https://github.com/yiisoft", + "type": "github" + }, + { + "url": "https://opencollective.com/yiisoft", + "type": "open_collective" + }, + { + "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2", + "type": "tidelift" + } + ], + "time": "2021-05-06T11:44:35+00:00" }, { "name": "yiisoft/yii2-composer", @@ -348,6 +370,20 @@ "extension installer", "yii2" ], + "funding": [ + { + "url": "https://github.com/yiisoft", + "type": "github" + }, + { + "url": "https://opencollective.com/yiisoft", + "type": "open_collective" + }, + { + "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2-composer", + "type": "tidelift" + } + ], "time": "2020-06-24T00:04:01+00:00" } ], @@ -401,6 +437,20 @@ "constructor", "instantiate" ], + "funding": [ + { + "url": "https://www.doctrine-project.org/sponsorship.html", + "type": "custom" + }, + { + "url": "https://www.patreon.com/phpdoctrine", + "type": "patreon" + }, + { + "url": "https://tidelift.com/funding/github/packagist/doctrine%2Finstantiator", + "type": "tidelift" + } + ], "time": "2020-11-10T18:47:58+00:00" }, { 
@@ -449,20 +499,26 @@ "object", "object graph" ], + "funding": [ + { + "url": "https://tidelift.com/funding/github/packagist/myclabs/deep-copy", + "type": "tidelift" + } + ], "time": "2020-11-13T09:40:50+00:00" }, { "name": "nikic/php-parser", - "version": "v4.10.4", + "version": "v4.10.5", "source": { "type": "git", "url": "https://github.com/nikic/PHP-Parser.git", - "reference": "c6d052fc58cb876152f89f532b95a8d7907e7f0e" + "reference": "4432ba399e47c66624bc73c8c0f811e5c109576f" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/c6d052fc58cb876152f89f532b95a8d7907e7f0e", - "reference": "c6d052fc58cb876152f89f532b95a8d7907e7f0e", + "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/4432ba399e47c66624bc73c8c0f811e5c109576f", + "reference": "4432ba399e47c66624bc73c8c0f811e5c109576f", "shasum": "" }, "require": { @@ -501,7 +557,7 @@ "parser", "php" ], - "time": "2020-12-20T10:01:03+00:00" + "time": "2021-05-03T19:11:20+00:00" }, { "name": "phar-io/manifest", @@ -561,16 +617,16 @@ }, { "name": "phar-io/version", - "version": "3.0.4", + "version": "3.1.0", "source": { "type": "git", "url": "https://github.com/phar-io/version.git", - "reference": "e4782611070e50613683d2b9a57730e9a3ba5451" + "reference": "bae7c545bef187884426f042434e561ab1ddb182" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phar-io/version/zipball/e4782611070e50613683d2b9a57730e9a3ba5451", - "reference": "e4782611070e50613683d2b9a57730e9a3ba5451", + "url": "https://api.github.com/repos/phar-io/version/zipball/bae7c545bef187884426f042434e561ab1ddb182", + "reference": "bae7c545bef187884426f042434e561ab1ddb182", "shasum": "" }, "require": { @@ -604,7 +660,7 @@ } ], "description": "Library for handling version information and constraints", - "time": "2020-12-13T23:18:30+00:00" + "time": "2021-02-23T14:00:09+00:00" }, { "name": "phpdocumentor/reflection-common", 
@@ -754,16 +810,16 @@ }, { "name": "phpspec/prophecy", - "version": "1.12.2", + "version": "1.13.0", "source": { "type": "git", "url": "https://github.com/phpspec/prophecy.git", - "reference": "245710e971a030f42e08f4912863805570f23d39" + "reference": "be1996ed8adc35c3fd795488a653f4b518be70ea" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpspec/prophecy/zipball/245710e971a030f42e08f4912863805570f23d39", - "reference": "245710e971a030f42e08f4912863805570f23d39", + "url": "https://api.github.com/repos/phpspec/prophecy/zipball/be1996ed8adc35c3fd795488a653f4b518be70ea", + "reference": "be1996ed8adc35c3fd795488a653f4b518be70ea", "shasum": "" }, "require": { @@ -813,20 +869,20 @@ "spy", "stub" ], - "time": "2020-12-19T10:15:11+00:00" + "time": "2021-03-17T13:42:18+00:00" }, { "name": "phpunit/php-code-coverage", - "version": "9.2.5", + "version": "9.2.6", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/php-code-coverage.git", - "reference": "f3e026641cc91909d421802dd3ac7827ebfd97e1" + "reference": "f6293e1b30a2354e8428e004689671b83871edde" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/f3e026641cc91909d421802dd3ac7827ebfd97e1", - "reference": "f3e026641cc91909d421802dd3ac7827ebfd97e1", + "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/f6293e1b30a2354e8428e004689671b83871edde", + "reference": "f6293e1b30a2354e8428e004689671b83871edde", "shasum": "" }, "require": { @@ -880,7 +936,13 @@ "testing", "xunit" ], - "time": "2020-11-28T06:44:49+00:00" + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], + "time": "2021-03-28T07:26:59+00:00" }, { "name": "phpunit/php-file-iterator", @@ -930,6 +992,12 @@ "filesystem", "iterator" ], + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-09-28T05:57:25+00:00" }, { 
@@ -983,6 +1051,12 @@ "keywords": [ "process" ], + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-09-28T05:58:55+00:00" }, { @@ -1032,6 +1106,12 @@ "keywords": [ "template" ], + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-10-26T05:33:50+00:00" }, { @@ -1081,20 +1161,26 @@ "keywords": [ "timer" ], + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-10-26T13:16:10+00:00" }, { "name": "phpunit/phpunit", - "version": "9.5.2", + "version": "9.5.6", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/phpunit.git", - "reference": "f661659747f2f87f9e72095bb207bceb0f151cb4" + "reference": "fb9b8333f14e3dce976a60ef6a7e05c7c7ed8bfb" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/f661659747f2f87f9e72095bb207bceb0f151cb4", - "reference": "f661659747f2f87f9e72095bb207bceb0f151cb4", + "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/fb9b8333f14e3dce976a60ef6a7e05c7c7ed8bfb", + "reference": "fb9b8333f14e3dce976a60ef6a7e05c7c7ed8bfb", "shasum": "" }, "require": { @@ -1124,7 +1210,7 @@ "sebastian/global-state": "^5.0.1", "sebastian/object-enumerator": "^4.0.3", "sebastian/resource-operations": "^3.0.3", - "sebastian/type": "^2.3", + "sebastian/type": "^2.3.4", "sebastian/version": "^3.0.2" }, "require-dev": { @@ -1170,7 +1256,17 @@ "testing", "xunit" ], - "time": "2021-02-02T14:45:58+00:00" + "funding": [ + { + "url": "https://phpunit.de/donate.html", + "type": "custom" + }, + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], + "time": "2021-06-23T05:14:38+00:00" }, { "name": "sebastian/cli-parser", 
@@ -1216,6 +1312,12 @@ ], "description": "Library for parsing CLI options", "homepage": "https://github.com/sebastianbergmann/cli-parser", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-09-28T06:08:49+00:00" }, { @@ -1262,6 +1364,12 @@ ], "description": "Collection of value objects that represent the PHP code units", "homepage": "https://github.com/sebastianbergmann/code-unit", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-10-26T13:08:54+00:00" }, { @@ -1307,6 +1415,12 @@ ], "description": "Looks up which function or method a line of code belongs to", "homepage": "https://github.com/sebastianbergmann/code-unit-reverse-lookup/", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-09-28T05:30:19+00:00" }, { @@ -1371,6 +1485,12 @@ "compare", "equality" ], + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-10-26T15:49:45+00:00" }, { @@ -1418,6 +1538,12 @@ ], "description": "Library for calculating the complexity of PHP code units", "homepage": "https://github.com/sebastianbergmann/complexity", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-10-26T15:52:27+00:00" }, { @@ -1474,6 +1600,12 @@ "unidiff", "unified diff" ], + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-10-26T13:10:38+00:00" }, { @@ -1527,6 +1659,12 @@ "environment", "hhvm" ], + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-09-28T05:52:38+00:00" }, { 
@@ -1594,20 +1732,26 @@ "export", "exporter" ], + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-09-28T05:24:23+00:00" }, { "name": "sebastian/global-state", - "version": "5.0.2", + "version": "5.0.3", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/global-state.git", - "reference": "a90ccbddffa067b51f574dea6eb25d5680839455" + "reference": "23bd5951f7ff26f12d4e3242864df3e08dec4e49" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/global-state/zipball/a90ccbddffa067b51f574dea6eb25d5680839455", - "reference": "a90ccbddffa067b51f574dea6eb25d5680839455", + "url": "https://api.github.com/repos/sebastianbergmann/global-state/zipball/23bd5951f7ff26f12d4e3242864df3e08dec4e49", + "reference": "23bd5951f7ff26f12d4e3242864df3e08dec4e49", "shasum": "" }, "require": { @@ -1648,7 +1792,13 @@ "keywords": [ "global state" ], - "time": "2020-10-26T15:55:19+00:00" + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], + "time": "2021-06-11T13:31:12+00:00" }, { "name": "sebastian/lines-of-code", @@ -1695,6 +1845,12 @@ ], "description": "Library for counting the lines of code in PHP source code", "homepage": "https://github.com/sebastianbergmann/lines-of-code", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-11-28T06:42:11+00:00" }, { @@ -1742,6 +1898,12 @@ ], "description": "Traverses array structures and object graphs to enumerate all referenced objects", "homepage": "https://github.com/sebastianbergmann/object-enumerator/", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-10-26T13:12:34+00:00" }, { 
@@ -1787,6 +1949,12 @@ ], "description": "Allows reflection of object attributes, including inherited and non-public ones", "homepage": "https://github.com/sebastianbergmann/object-reflector/", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-10-26T13:14:26+00:00" }, { @@ -1840,6 +2008,12 @@ ], "description": "Provides functionality to recursively process PHP variables", "homepage": "http://www.github.com/sebastianbergmann/recursion-context", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-10-26T13:17:30+00:00" }, { @@ -1885,20 +2059,26 @@ ], "description": "Provides a list of PHP built-in functions that operate on resources", "homepage": "https://www.github.com/sebastianbergmann/resource-operations", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-09-28T06:45:17+00:00" }, { "name": "sebastian/type", - "version": "2.3.1", + "version": "2.3.4", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/type.git", - "reference": "81cd61ab7bbf2de744aba0ea61fae32f721df3d2" + "reference": "b8cd8a1c753c90bc1a0f5372170e3e489136f914" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/type/zipball/81cd61ab7bbf2de744aba0ea61fae32f721df3d2", - "reference": "81cd61ab7bbf2de744aba0ea61fae32f721df3d2", + "url": "https://api.github.com/repos/sebastianbergmann/type/zipball/b8cd8a1c753c90bc1a0f5372170e3e489136f914", + "reference": "b8cd8a1c753c90bc1a0f5372170e3e489136f914", "shasum": "" }, "require": { 
@@ -1931,7 +2111,13 @@ ], "description": "Collection of value objects that represent the types of the PHP type system", "homepage": "https://github.com/sebastianbergmann/type", - "time": "2020-10-26T13:18:59+00:00" + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], + "time": "2021-06-15T12:49:02+00:00" }, { "name": "sebastian/version", @@ -1974,20 +2160,26 @@ ], "description": "Library that helps with managing the version number of Git-hosted PHP projects", "homepage": "https://github.com/sebastianbergmann/version", + "funding": [ + { + "url": "https://github.com/sebastianbergmann", + "type": "github" + } + ], "time": "2020-09-28T06:39:44+00:00" }, { "name": "symfony/polyfill-ctype", - "version": "v1.22.0", + "version": "v1.23.0", "source": { "type": "git", "url": "https://github.com/symfony/polyfill-ctype.git", - "reference": "c6c942b1ac76c82448322025e084cadc56048b4e" + "reference": "46cd95797e9df938fdd2b03693b5fca5e64b01ce" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/c6c942b1ac76c82448322025e084cadc56048b4e", - "reference": "c6c942b1ac76c82448322025e084cadc56048b4e", + "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/46cd95797e9df938fdd2b03693b5fca5e64b01ce", + "reference": "46cd95797e9df938fdd2b03693b5fca5e64b01ce", "shasum": "" }, "require": { @@ -1999,7 +2191,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-main": "1.22-dev" + "dev-main": "1.23-dev" }, "thanks": { "name": "symfony/polyfill", 
@@ -2036,20 +2228,34 @@ "polyfill", "portable" ], - "time": "2021-01-07T16:49:33+00:00" + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2021-02-19T12:13:01+00:00" }, { "name": "symfony/polyfill-mbstring", - "version": "v1.22.0", + "version": "v1.23.0", "source": { "type": "git", "url": "https://github.com/symfony/polyfill-mbstring.git", - "reference": "f377a3dd1fde44d37b9831d68dc8dea3ffd28e13" + "reference": "2df51500adbaebdc4c38dea4c89a2e131c45c8a1" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/f377a3dd1fde44d37b9831d68dc8dea3ffd28e13", - "reference": "f377a3dd1fde44d37b9831d68dc8dea3ffd28e13", + "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/2df51500adbaebdc4c38dea4c89a2e131c45c8a1", + "reference": "2df51500adbaebdc4c38dea4c89a2e131c45c8a1", "shasum": "" }, "require": { @@ -2061,7 +2267,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-main": "1.22-dev" + "dev-main": "1.23-dev" }, "thanks": { "name": "symfony/polyfill", 
@@ -2099,20 +2305,34 @@ "portable", "shim" ], - "time": "2021-01-07T16:49:33+00:00" + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2021-05-27T09:27:20+00:00" }, { "name": "symfony/polyfill-php80", - "version": "v1.22.0", + "version": "v1.23.0", "source": { "type": "git", "url": "https://github.com/symfony/polyfill-php80.git", - "reference": "dc3063ba22c2a1fd2f45ed856374d79114998f91" + "reference": "eca0bf41ed421bed1b57c4958bab16aa86b757d0" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/polyfill-php80/zipball/dc3063ba22c2a1fd2f45ed856374d79114998f91", - "reference": "dc3063ba22c2a1fd2f45ed856374d79114998f91", + "url": "https://api.github.com/repos/symfony/polyfill-php80/zipball/eca0bf41ed421bed1b57c4958bab16aa86b757d0", + "reference": "eca0bf41ed421bed1b57c4958bab16aa86b757d0", "shasum": "" }, "require": { @@ -2121,7 +2341,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-main": "1.22-dev" + "dev-main": "1.23-dev" }, "thanks": { "name": "symfony/polyfill", 
@@ -2165,20 +2385,34 @@ "portable", "shim" ], - "time": "2021-01-07T16:49:33+00:00" + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2021-02-19T12:13:01+00:00" }, { "name": "symfony/var-dumper", - "version": "v5.2.3", + "version": "v5.3.2", "source": { "type": "git", "url": "https://github.com/symfony/var-dumper.git", - "reference": "72ca213014a92223a5d18651ce79ef441c12b694" + "reference": "905a22c68b292ffb6f20d7636c36b220d1fba5ae" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/var-dumper/zipball/72ca213014a92223a5d18651ce79ef441c12b694", - "reference": "72ca213014a92223a5d18651ce79ef441c12b694", + "url": "https://api.github.com/repos/symfony/var-dumper/zipball/905a22c68b292ffb6f20d7636c36b220d1fba5ae", + "reference": "905a22c68b292ffb6f20d7636c36b220d1fba5ae", "shasum": "" }, "require": { @@ -2236,7 +2470,21 @@ "debug", "dump" ], - "time": "2021-01-27T10:15:41+00:00" + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2021-06-06T09:51:56+00:00" }, { "name": "theseer/tokenizer", 
@@ -2276,34 +2524,45 @@ } ], "description": "A small library for converting tokenized PHP source code into XML and potentially other formats", + "funding": [ + { + "url": "https://github.com/theseer", + "type": "github" + } + ], "time": "2020-07-12T23:59:07+00:00" }, { "name": "webmozart/assert", - "version": "1.9.1", + "version": "1.10.0", "source": { "type": "git", "url": "https://github.com/webmozarts/assert.git", - "reference": "bafc69caeb4d49c39fd0779086c03a3738cbb389" + "reference": "6964c76c7804814a842473e0c8fd15bab0f18e25" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/webmozarts/assert/zipball/bafc69caeb4d49c39fd0779086c03a3738cbb389", - "reference": "bafc69caeb4d49c39fd0779086c03a3738cbb389", + "url": "https://api.github.com/repos/webmozarts/assert/zipball/6964c76c7804814a842473e0c8fd15bab0f18e25", + "reference": "6964c76c7804814a842473e0c8fd15bab0f18e25", "shasum": "" }, "require": { - "php": "^5.3.3 || ^7.0 || ^8.0", + "php": "^7.2 || ^8.0", "symfony/polyfill-ctype": "^1.8" }, "conflict": { "phpstan/phpstan": "<0.12.20", - "vimeo/psalm": "<3.9.1" + "vimeo/psalm": "<4.6.1 || 4.6.2" }, "require-dev": { - "phpunit/phpunit": "^4.8.36 || ^7.5.13" + "phpunit/phpunit": "^8.5.13" }, "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.10-dev" + } + }, "autoload": { "psr-4": { "Webmozart\\Assert\\": "src/" @@ -2325,7 +2584,7 @@ "check", "validate" ], - "time": "2020-07-08T17:02:28+00:00" + "time": "2021-03-09T10:59:23+00:00" } ], "aliases": [], @@ -2336,5 +2595,6 @@ "platform": { "php": "^7.2" }, - "platform-dev": [] + "platform-dev": [], + "plugin-api-version": "1.1.0" } diff --git a/src/Headers.php b/src/Headers.php index 99ecc4c..a1ea12c 100644 --- a/src/Headers.php +++ b/src/Headers.php 
@@ -10,6 +10,7 @@ use hyperia\security\headers\XFrameOptions;
 use hyperia\security\headers\XPoweredBy;
 use hyperia\security\headers\XssProtection;
+use hyperia\security\headers\ReportTo;
 use Yii;
 use yii\base\BootstrapInterface;
 use yii\base\Application;
@@ -126,6 +127,22 @@ class Headers extends Component implements BootstrapInterface
 */
 public $contentTypeOptions = true;
+ /**
+ * Content-Security-Policy-Report-Only
+ *
+ * @access public
+ * @var boolean
+ */
+ public $reportOnlyMode = false;
+
+ /**
+ * Report To policy
+ *
+ * @access public
+ * @var array
+ */
+ public $reportTo = [];
+
 /**
 * Bootstrap (set up before request event)
 *
@@ -147,11 +164,13 @@ public function bootstrap($app)
 new FeaturePolicy($this->featurePolicyDirectives),
 new ReferrerPolicy($this->referrerPolicy),
 new XssProtection($this->xssProtection, $this->reportUri),
+ new ReportTo($this->reportTo),
 new ContentSecurityPolicy($this->cspDirectives, [
 'requireSriForScript' => $this->requireSriForScript,
 'requireSriForStyle' => $this->requireSriForStyle,
 'blockAllMixedContent' => $this->blockAllMixedContent,
 'upgradeInsecureRequests' => $this->upgradeInsecureRequests,
+ 'reportOnlyMode' => $this->reportOnlyMode
 ], $this->reportUri)
 ];
diff --git a/src/headers/ContentSecurityPolicy.php b/src/headers/ContentSecurityPolicy.php
index a6d8b4e..6a0788b 100644
--- a/src/headers/ContentSecurityPolicy.php
+++ b/src/headers/ContentSecurityPolicy.php
@@ -10,6 +10,7 @@ class ContentSecurityPolicy implements PolicyInterface
 private $requireSriForStyle;
 private $blockAllMixedContent;
 private $upgradeInsecureRequests;
+ private $reportOnlyMode;
 private $defaultDirectives = [
 'connect-src' => "'self'",
 'font-src' => "'self'",
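Review bot: `new ReportTo($this->reportTo)` is added to the policy list unconditionally while `$reportTo` defaults to `[]`, so unless the code that emits these policies skips empty values (not visible in this hunk) every response gets a `Report-To: []` header; guard the registration with `if (!empty($this->reportTo))` or have `ReportTo::isValid()` reject an empty group list. The `$reportOnlyMode` docblock should state the consequence rather than only the header name, e.g. `Send Content-Security-Policy-Report-Only instead of Content-Security-Policy: violations are reported, nothing is blocked`, since flipping it in config silently turns off CSP enforcement. The README sample in this commit is also inconsistent with this code: it omits the comma after `'reportOnlyMode' => false` and after the closing `]` of `reportTo`, and it names the group `'groupName'` but references `'groupname'` in the `report-to` directive, which has to match for reports to be routed to the group. bootstrap() continues outside the hunk.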
@@ -37,11 +38,12 @@ public function __construct(array $directives, array $params, string $reportUri)
 $this->requireSriForStyle = $params['requireSriForStyle'] ?? false;
 $this->blockAllMixedContent = $params['blockAllMixedContent'] ?? false;
 $this->upgradeInsecureRequests = $params['upgradeInsecureRequests'] ?? false;
+ $this->reportOnlyMode = $params['reportOnlyMode'] ?? false;
 }
 public function getName(): string
 {
- return 'Content-Security-Policy';
+ return $this->reportOnlyMode ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
 }
 public function getValue(): string
@@ -66,13 +68,6 @@ public function getValue(): string
 public function isValid(): bool
 {
- $allowedDirectives = array_keys(array_merge($this->defaultDirectives, $this->defaultCsp));
- foreach ($this->directives as $directive => $value) {
- if (!in_array($directive, $allowedDirectives) && !empty($value)) {
- return false;
- }
- }
-
 return true;
 }
@@ -81,7 +76,7 @@ private function getCspReportUri(): array
 $report = [];
 if (!empty($this->reportUri)) {
 $report = [
- 'report-uri' => $this->reportUri . '/r/d/csp/enforce'
+ 'report-uri' => $this->reportUri
 ];
 }
diff --git a/src/headers/FeaturePolicy.php b/src/headers/FeaturePolicy.php
index 5c15cc1..aab497d 100644
--- a/src/headers/FeaturePolicy.php
+++ b/src/headers/FeaturePolicy.php
@@ -55,13 +55,6 @@ public function getValue(): string
 public function isValid(): bool
 {
- $allowedDirectives = array_keys($this->defaultDirectives);
- foreach ($this->directives as $directive => $value) {
- if (!in_array($directive, $allowedDirectives) && !empty($value)) {
- return false;
- }
- }
-
 return true;
 }
 }
diff --git a/src/headers/ReportTo.php b/src/headers/ReportTo.php
new file mode 100644
index 0000000..ace2970
--- /dev/null
+++ b/src/headers/ReportTo.php
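Review bot: `isValid()` is reduced to `return true`, which drops the only check that each configured directive name is one the policy knows, so a misspelt directive (say `scirpt-src`) now ships silently in the header, and `testWithChildSrc` in the test hunk below still asserts `assertNotTrue($policy->isValid())` and will fail against this code. If the goal is to accept the `report-to` directive the README introduces, extend the allow-list rather than deleting the loop: keep the removed `foreach` and build the list as `$allowedDirectives = array_merge(array_keys($this->defaultDirectives), array_keys($this->defaultCsp), ['report-to']);`, with `in_array($directive, $allowedDirectives, true)` for a strict comparison. The rename of `testInvalid` to `testReportOnlyMode` in the tests removes the negative case for this method, so a dedicated invalid-directive test should be kept. The same deletion is made in `FeaturePolicy::isValid()` in the next file, where no new directive is being added, so that validation can simply be restored as it was.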
@@ -0,0 +1,28 @@
+groups = $groups;
+ }
+
+ public function getName(): string
+ {
+ return 'Report-To';
+ }
+
+ public function getValue(): string
+ {
+ return json_encode($this->groups);
+ }
+
+ public function isValid(): bool
+ {
+ return true;
+ }
+}
diff --git a/src/headers/XssProtection.php b/src/headers/XssProtection.php
index 7c55e06..0918f00 100644
--- a/src/headers/XssProtection.php
+++ b/src/headers/XssProtection.php
@@ -32,7 +32,7 @@ private function getXssProtectionReportPart(): string
 {
 $report = '';
 if (!empty($this->reportUri)) {
- $report = ' report=' . $this->reportUri . '/r/d/xss/enforce';
+ $report = ' report=' . $this->reportUri;
 }
 return $report;
diff --git a/tests/headers/ContentSecurityPolicyTest.php b/tests/headers/ContentSecurityPolicyTest.php
index f75b2fd..1290f99 100644
--- a/tests/headers/ContentSecurityPolicyTest.php
+++ b/tests/headers/ContentSecurityPolicyTest.php
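Review bot: `getValue()` returns `json_encode($this->groups)`, i.e. a JSON array of group objects (`[{"group":...}]`), but the Report-To header value is a comma-separated sequence of JSON objects without enclosing brackets, so browsers will most likely ignore every group configured this way; encode the groups individually, `return implode(', ', array_map('json_encode', $this->groups));`, and check for a `false` result (or use `JSON_THROW_ON_ERROR` if the supported PHP version allows it), because with a `: string` return type a failed encode becomes a TypeError. `isValid()` returns `true` without verifying that each group carries `group`, `max_age` and at least one `endpoints[].url`, so a malformed header is sent rather than rejected, and nothing checks that the group name matches the `report-to` CSP directive. The start of this new file (namespace, class declaration and the constructor up to `$this->groups`) is garbled in this view, so the constructor itself cannot be reviewed here.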
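Review bot: `$this->reportUri` now goes into `report=` unchanged, and the `getCspReportUri()` hunk above does the same for `report-uri`, yet `bootstrap()` hands the same `Headers::$reportUri` to both policies; with the README value `https://company.report-uri.com/r/d/csp/enforce`, X-XSS-Protection reports would be posted to the CSP endpoint, whereas the old code derived distinct `/r/d/csp/enforce` and `/r/d/xss/enforce` paths from one base URL. Either keep per-header suffixes or add a separate setting such as `xssReportUri` and pass that to `XssProtection` instead. As far as I know only WebKit-based browsers still honour X-XSS-Protection, so the practical impact is limited, but the README should state that a single URL now serves both headers. getXssProtectionReportPart() ends inside the hunk; the class continues outside it.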
@@ -17,26 +17,29 @@ public function testCommon(): void
 ], [
 'upgradeInsecureRequests' => false,
 'blockAllMixedContent' => true
- ], 'https://www.example.com');
+ ], 'https://www.example.com/r/d/csp/enforce');
 $this->assertSame("default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $policy->getValue());
 $this->assertSame('Content-Security-Policy', $policy->getName());
 $this->assertTrue($policy->isValid());
 }
- public function testInvalid(): void
+ public function testReportOnlyMode(): void
 {
 $policy = new ContentSecurityPolicy([
 'object-src' => "'self'",
 'media-src' => "'self'",
 'form-action' => "'self'",
- 'child-src' => "'self'"
+ 'frame-src' => "'self'"
 ], [
 'upgradeInsecureRequests' => false,
- 'blockAllMixedContent' => true
- ], 'https://www.example.com');
+ 'blockAllMixedContent' => true,
+ 'reportOnlyMode' => true
+ ], 'https://www.example.com/r/d/csp/enforce');
- $this->assertFalse($policy->isValid());
+ $this->assertSame("default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $policy->getValue());
+ $this->assertSame('Content-Security-Policy-Report-Only', $policy->getName());
+ $this->assertTrue($policy->isValid());
 }
 public function testWithSubresourceIntegrity()
@@ -48,7 +51,7 @@ public function testWithSubresourceIntegrity()
 ], [
 'requireSriForScript' => true,
 'requireSriForStyle' => true
- ], 'https://www.example.com');
+ ], 'https://www.example.com/r/d/csp/enforce');
 $this->assertTrue($policy->isValid());
 $this->assertSame("default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; require-sri-for script style; report-uri https://www.example.com/r/d/csp/enforce", $policy->getValue());
@@ -61,7 +64,7 @@ public function testDefaultSrc(): void
 ], [
 'upgradeInsecureRequests' => false,
 'blockAllMixedContent' => true
- ], 'https://www.example.com');
+ ], 'https://www.example.com/r/d/csp/enforce');
 $this->assertSame("default-src *; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $policy->getValue());
 $this->assertTrue($policy->isValid());
@@ -72,7 +75,7 @@ public function testDefaultSrc(): void
 ], [
 'upgradeInsecureRequests' => false,
 'blockAllMixedContent' => true
- ], 'https://www.example.com');
+ ], 'https://www.example.com/r/d/csp/enforce');
 $this->assertSame("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $policy->getValue());
 $this->assertTrue($policy->isValid());
@@ -85,7 +88,7 @@ public function testWithChildSrc(): void
 ], [
 'upgradeInsecureRequests' => false,
 'blockAllMixedContent' => true
- ], 'https://www.example.com');
+ ], 'https://www.example.com/r/d/csp/enforce');
 $this->assertNotTrue($policy->isValid());
 $this->assertSame("default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; child-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $policy->getValue());
diff --git a/tests/headers/XssProtectionTest.php b/tests/headers/XssProtectionTest.php
index 9422868..caaf63b 100644
--- a/tests/headers/XssProtectionTest.php
+++ b/tests/headers/XssProtectionTest.php
@@ -14,7 +14,7 @@ class XssProtectionTest extends TestCase
 public function setUp(): void
 {
- $this->header = new XssProtection(true, 'example.com');
+ $this->header = new XssProtection(true, 'example.com/r/d/xss/enforce');
 }
 public function testGetValue(): void